Have you heard about Yahoo's new DMARC Policy?


Yahoo recently changed their email acceptance policy to combat network attacks against their users by bad people who send email using a yahoo.com address without going through a yahoo.com server. Yahoo’s decision to reject this class of email fixes their problem but breaks things for everyone else who sends legitimate email via an Email Service Provider (ESP).

Yahoo has been fighting ongoing phishing attacks for a long time. These attacks attempt to compromise legitimate Yahoo user accounts. Once an account is compromised, the hacker can then send SPAM and phishing emails to the members of that account’s contact list. Ever receive email FROM: (anyone@yahoo.com) containing a link and a message that encourages you to click on it? Just another phishing attempt.

Yahoo has control over their own computers but not others. Even though Yahoo has curtailed SPAM and phishing emails oozing out of their servers, hackers seem to always find a way: they figured out how to continue to send email with FROM: anybody@yahoo.com addresses using non-Yahoo servers.

In response to the hacker community, Yahoo has sent an alert to other ISPs, using their new DMARC policy, essentially telling other ISPs not to accept any email sent with a FROM: @yahoo.com address unless that email originates from a Yahoo server. So imagine what can happen if you are a list owner emailing with your favorite ESP (Email Service Provider) and using your Yahoo account for your list FROM address. Your list of thousands of emails may be blocked and never delivered. Not good news for you, and no news for your subscribers.

So what is the DMARC policy that allows Yahoo to stop the mail?

DMARC (Domain-based Message Authentication, Reporting and Conformance) sets the technical specifications for implementing SPF, DKIM and other verification mechanisms in a uniform way. It keeps everyone on the same page, and could be viewed as the instruction book for setting up email authentication. Consequently, ISPs checking DMARC records will most likely follow Yahoo’s recommendations, in this case not to accept any email sent with a FROM: @yahoo.com address unless that email originates from a Yahoo server.

Legitimate email marketers and other email list owners will find that this action not only breaks mailing lists using a FROM: anybody@yahoo.com address but, unfortunately, also interferes with emails using Gmail, Hotmail, Comcast and other FROM addresses.

With this new policy, when a Yahoo user sends an email to a mailing list (i.e. a discussion list hosted at an ESP in this example), the list’s server distributes that message to all the list members, changing the headers, which breaks the DMARC alignment (“The authentication has to be from the same domain (or a sub-domain) as the address in the header-FROM: line”). For subscribers with accounts on other services that perform a DMARC check, such as Hotmail, the check will then fail and the original email will be rejected.
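The alignment check described above can be worked through in a few lines of Python. This is an added example, not code from Yahoo or any ESP: the DMARC record, the esp.example domains and the function names are constructed for illustration, and the organizational-domain lookup is simplified to the last two labels.

```python
# Added illustration: DMARC identifier alignment for direct vs. list-relayed mail.
# The record and all esp.example names below are constructed sample data.
SAMPLE_RECORD = "v=DMARC1; p=reject"  # constructed; stands in for a reject policy

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    """Assumption: last two labels. Real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """Strict ('s') needs an exact match; relaxed ('r') allows sub-domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(header_from, spf, dkim, record):
    """spf is (result, envelope domain); dkim is a list of (result, d= domain)."""
    policy = parse_dmarc(record)
    from_domain = header_from.rsplit("@", 1)[1]
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy.get("aspf", "r"))
    dkim_ok = any(result == "pass" and aligned(d, from_domain, policy.get("adkim", "r"))
                  for result, d in dkim)
    # One aligned pass is enough; otherwise the domain owner's policy applies.
    return "pass" if spf_ok or dkim_ok else policy.get("p", "none")

def direct_from_yahoo():
    return dmarc_disposition("anybody@yahoo.com", ("pass", "yahoo.com"),
                             [("pass", "yahoo.com")], SAMPLE_RECORD)

def relayed_by_list():
    # Assumed list behaviour: the list server re-sends with its own envelope
    # domain and signature, and the original signature no longer verifies.
    return dmarc_disposition("anybody@yahoo.com", ("pass", "lists.esp.example"),
                             [("fail", "yahoo.com"), ("pass", "esp.example")],
                             SAMPLE_RECORD)

if __name__ == "__main__":
    print("direct:", direct_from_yahoo())
    print("via list:", relayed_by_list())
```

The list copy authenticates fine for esp.example, but nothing that passes is aligned with yahoo.com, so the receiver applies the policy from the yahoo.com record.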

What’s an Email List owner to do?

Some recommendations include complaining to Yahoo or not using a Yahoo From address. Changing from a Yahoo From address seems to be the way to go.

Need to know more?  Contact Dunde@mail Services
